Voucher Vault
Redzone Rewards — an internal employee rewards portal — exposes a voucher search that concatenates user input straight into a SELECT. Find the hidden administrative voucher.
The Scenario
Redzone is a 600-employee insurance brokerage in Charlotte that launched its internal Rewards portal in early 2024 to replace the gift-card spreadsheet HR had been running since the pandemic. The contractor who built the voucher search was paid by the milestone and shipped the feature the same week the procurement team approved a new redemption tier reserved for the executive floor. The launch-week security pass was scheduled, then bumped, then quietly dropped.
Challenge Intel
Synopsis
A medium SQL injection lab against an employee rewards portal with a permissive search feature.
What It Is
Redzone Rewards is an internal portal where a voucher search query was stitched together from raw user input during a rushed launch week. The flaw is the kind of thing a reviewer spots in five minutes, but that review never happened. A straightforward, satisfying classical SQLi exercise in a believable corporate setting.
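The concatenation pattern the lab is built around, shown beside its parameterised fix and a line-level review heuristic that would have caught it in that five-minute read. This is an added example, not code from the lab or from Redzone; the table, voucher names and tiers are constructed sample data.

```python
import re
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed sample data standing in for the portal's voucher table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE vouchers (id INTEGER PRIMARY KEY, name TEXT, tier TEXT)")
    conn.executemany(
        "INSERT INTO vouchers (name, tier) VALUES (?, ?)",
        [("Coffee card", "standard"), ("Dinner for two", "standard"),
         ("Exec retreat", "executive")],  # tier the search is meant to hide
    )
    return conn


def search_unsafe(conn: sqlite3.Connection, term: str) -> list[str]:
    """Launch-week pattern: the search term is spliced into the SQL text."""
    sql = ("SELECT name FROM vouchers WHERE tier = 'standard' "
           "AND name LIKE '%" + term + "%'")
    return [row[0] for row in conn.execute(sql)]


def search_safe(conn: sqlite3.Connection, term: str) -> list[str]:
    """Hardened form: the term is bound as a parameter, so quotes in it stay data."""
    sql = "SELECT name FROM vouchers WHERE tier = 'standard' AND name LIKE ?"
    return [row[0] for row in conn.execute(sql, ("%" + term + "%",))]


# Review heuristic: a source line that both names a SQL verb and builds a string
# with an f-prefix, +, % or .format deserves a closer look during code review.
SQL_VERB = re.compile(r"\b(SELECT|INSERT|UPDATE|DELETE)\b", re.IGNORECASE)
STRING_BUILDER = re.compile(r"""\bf["']|["']\s*\+|\+\s*["']|["']\s*%|\.format\(""")


def flag_concatenated_sql(source: str) -> list[int]:
    """Return 1-based line numbers in Python source that look like concatenated SQL."""
    return [n for n, line in enumerate(source.splitlines(), start=1)
            if SQL_VERB.search(line) and STRING_BUILDER.search(line)]


if __name__ == "__main__":
    db = make_db()
    print(search_safe(db, "card"))      # ['Coffee card']
    print(search_safe(db, "o'clock"))   # [] -- the quote is treated as data
    try:
        search_unsafe(db, "o'clock")
    except sqlite3.OperationalError as exc:
        print("unsafe query broke:", exc)  # the quote reached the SQL parser
```

A plain apostrophe is enough to show the difference: the bound parameter simply finds no match, while the concatenated query hands the user's characters to the SQL parser.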
Who It's For
Testers ready to move past the very easiest SQLi and tackle a clean mid-tier example.
Skills You'll Practice
- Classical in-band SQL injection
- Search-feature enumeration techniques
- Column and table discovery
- Data exfiltration through reflected results
- Recognising common string-concatenation flaws
What You'll Gain
- A clean, confidence-building mid-tier SQLi solve
- Reinforcement of union-based extraction fundamentals
- Sharper pattern recognition for launch-week code smells
- A reliable reference lab to revisit when drilling basics